1. Introduction
This Privacy Policy explains how Zelfium Inc. ("Zelfium," "we," "us," or "our"), a company incorporated in Tokyo, Japan, collects, uses, stores, and protects your personal data when you use our personality assessment platform at zelfium.com and all related services, including Zelfium Affinia (relationship compatibility) and Zelfium Libra (career pathing).
Data Controller: Zelfium Inc., 1-22-11 Ginza, Chuo-ku, Tokyo, Japan
Contact: contact@zelfium.com
Effective date: March 31, 2026
By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. This policy applies to all users worldwide and addresses obligations under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Japan's Act on the Protection of Personal Information (APPI), and other applicable data protection laws.
This Privacy Policy should be read together with our Terms of Service, Cookie Policy, Acceptable Use Policy, Data Processing Agreement, B2B Terms, and Tokushoho Disclosure.
2. Data We Collect
We collect the following categories of personal data when you interact with our services:
2.1 Account Data
- Email address (required)
- First name and last name (required)
- Nickname (optional)
- Phone number (optional)
2.2 Authentication Data
- Passwords, which are cryptographically hashed before storage and are never stored in plain text
- OAuth tokens when you sign in via Google, Microsoft, or Apple (used solely for authentication; we do not access your contacts, calendar, or other account data from these providers)
2.3 Assessment Data
- Your responses to our 77 Likert-scale personality assessment questions (values ranging from 0 to 6)
- Response times recorded for each individual question
2.4 Assessment Results
- 8 main scale scores: Extraversion/Introversion (E/I), iNtuition/Sensing (N/S), Thinking/Feeling (T/F), Judging/Perceiving (J/P), Cooperative/Mavericks (C/M), Harmony-seeking/Decisive (H/D), Routine-oriented/Open-to-change (R/O), Urgent/Laid-back (U/L)
- 16 subscale scores
- 41 component scores
- Personality type classification
2.5 AI Chat Data
- Messages you send to our AI-powered chat features
- AI-generated responses
- Conversation history and metadata
2.6 Payment Data
All payment processing is handled by Stripe. Zelfium does not store, process, or have access to your full credit card numbers, debit card numbers, or bank account details. We receive only a transaction identifier, payment status, amount, and the last four digits of your card for display purposes.
2.7 Technical Data
- IP address
- Browser type and version
- Device type and operating system
- Access timestamps
- Referrer URL
2.8 Cookies
We use functional cookies only. We do not use advertising, tracking, or analytics cookies. The cookies we set are:
| Cookie Name | Type | Duration | Purpose |
|---|---|---|---|
zelfium_access_token | HTTP-only, Secure | ~15 minutes | Session authentication |
zelfium_refresh_token | HTTP-only, Secure | 7 days | Session renewal |
| Supabase session cookies | HTTP-only, Secure | Session-based | Authentication provider session management |
For more details, see our Cookie Policy.
3. Special Category / Sensitive Data
Your personality assessment data—including question responses, scale scores, subscale scores, component scores, and personality type classification—may constitute special category data relating to psychological profiling under Article 9 of the GDPR.
We process this data on the following basis:
- Explicit consent (GDPR Art. 9(2)(a)): Before you begin any assessment, we obtain your explicit, informed, and freely-given consent through a clear consent mechanism. You may withdraw this consent at any time.
Additional Safeguards
- Assessment data is encrypted at rest and in transit using industry-standard encryption protocols.
- Access to raw assessment data is strictly limited to authorized personnel and automated systems required for service delivery.
- Assessment data is never shared with third parties for their own purposes.
- We conduct regular data protection impact assessments (DPIAs) on our assessment processing activities.
Automated Profiling & Decision-Making (GDPR Art. 22)
Zelfium uses automated profiling to generate personality profiles from your assessment responses. Additionally, Zelfium Libra provides automated career path recommendations based on your personality dimensions.
Zelfium does not use automated processing to make decisions that produce legal effects or similarly significant effects concerning you. Our assessments and career recommendations are informational insights for your personal use only. No employment decisions, credit decisions, insurance decisions, or other legally consequential determinations are made by Zelfium based on your assessment results.
Under GDPR Article 22, you have the right:
- Not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects concerning you
- To request human intervention in any automated assessment or recommendation
- To express your point of view and contest any automated decision or profile
- To request an explanation of the logic involved in automated profiling, to the extent possible without disclosing proprietary trade secrets
Human oversight mechanisms are available upon request. To exercise any of these rights, please contact us at contact@zelfium.com.
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Service Provision
- Administering your personality assessments and generating your results
- Providing compatibility analyses (Zelfium Affinia) and career pathing insights (Zelfium Libra)
- Displaying your results, scores, and personality profile
4.2 AI Features
- Powering AI chat interactions that help you explore and understand your assessment results
- Providing personalized insights and recommendations through AI-driven conversation
4.3 Account Management
- Creating and maintaining your user account
- Authenticating your identity when you sign in
- Managing your account preferences and settings
4.4 Payment Processing
- Processing subscription payments and one-time purchases
- Managing billing, invoices, and refunds
4.5 Service Improvement
- Analyzing aggregate, anonymized usage patterns to improve the platform experience
- Monitoring system performance, uptime, and error rates
- We never use individual, identifiable data for general service improvement without explicit consent
4.6 Research (Opt-In Only)
- If you voluntarily opt into our Research Data Program (see Section 10), your irreversibly anonymized assessment data may be used for academic and scientific research
4.7 Legal Obligations
- Complying with applicable laws, regulations, and legal processes
- Maintaining records required for tax and audit purposes
4.8 Communications
- Sending transactional emails (account verification, password resets, payment receipts)
- Notifying you of material changes to our services, terms, or policies
- Responding to your support inquiries and feedback
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we rely on the following legal bases under the GDPR:
| Legal Basis | Processing Activities |
|---|---|
| Explicit Consent (Art. 6(1)(a) & Art. 9(2)(a)) | Personality assessment data collection and processing; AI chat features that reference your assessment data; participation in the Research Data Program |
| Performance of a Contract (Art. 6(1)(b)) | Account creation and management; providing the core service (assessment delivery, results display, compatibility and career features); payment processing |
| Legitimate Interest (Art. 6(1)(f)) | Platform security and fraud prevention; aggregated analytics for service improvement; technical logging for system reliability |
| Legal Obligation (Art. 6(1)(c)) | Tax record retention; financial audit compliance; responding to lawful government requests |
Where we rely on consent, you may withdraw it at any time by contacting us at contact@zelfium.com or through your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
6. Third-Party Data Sharing
We share personal data only with trusted third-party service providers ("data processors") who assist us in operating our platform. Each processor is bound by a Data Processing Agreement (DPA) that requires them to process your data only on our instructions and in compliance with applicable data protection laws.
| Provider | Location | Purpose | Data Shared | Safeguards |
|---|---|---|---|---|
| Supabase Inc. | San Francisco, USA | Database hosting & authentication | Account data, authentication tokens, assessment data and results, AI chat data | SOC 2, encryption at rest & in transit, SCCs |
| Stripe Inc. | San Francisco, USA | Payment processing | Name, email, payment method details (handled directly by Stripe) | PCI DSS Level 1, SOC 2, SCCs |
| OpenAI LLC | San Francisco, USA | AI inference (GPT-4o) | Chat messages and relevant assessment context sent per request; OpenAI operates under a zero-retention API policy and does not use our data for model training | Zero-retention API, SOC 2, SCCs |
| Vercel Inc. | San Francisco, USA | Frontend hosting & CDN | Technical data (IP address, request metadata) as part of standard web hosting | SOC 2, edge encryption, SCCs |
| Google / Microsoft / Apple | United States | OAuth authentication only | Authentication tokens and basic profile information (name, email) as authorized by you during sign-in | SOC 2, SCCs |
For organizational (B2B) customers, additional sub-processor obligations and restrictions are set forth in our Data Processing Agreement (DPA) and B2B Terms.
What We Do Not Do
- We do not sell your personal data to any third party, ever.
- We do not share your data with advertisers or advertising networks.
- We do not allow third parties to use your data for their own independent purposes.
- We do not engage in data brokering or provide personal data to data aggregators.
7. International Data Transfers
Zelfium Inc. is based in Japan. All of our third-party data processors are located in the United States. This means your personal data may be transferred to, stored in, and processed in the United States.
7.1 Safeguards for EU/EEA Users
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transferred from the EU/EEA to the United States.
- Japan has received an adequacy decision from the European Commission, meaning data transfers from the EU to Japan are recognized as providing an adequate level of data protection.
- We assess and monitor the data protection practices of all processors to ensure ongoing compliance.
7.2 Safeguards for Japanese Users (APPI Art. 28)
In accordance with Japan's Act on the Protection of Personal Information (APPI), we provide the following information regarding cross-border transfers of personal data to each third-party processor, as required by Article 28:
- Supabase Inc. (United States) — The United States does not have an APPI-equivalent adequacy designation. Zelfium ensures equivalent protection through contractual safeguards (DPA/SCCs) and confirms that Supabase maintains SOC 2 certification and encryption standards.
- Stripe Inc. (United States) — Protection ensured through contractual safeguards (DPA/SCCs), PCI DSS Level 1 compliance, and SOC 2 certification.
- OpenAI LLC (United States) — Protection ensured through contractual safeguards (DPA/SCCs), zero-retention API policy, and SOC 2 certification. No personal data is retained by OpenAI after processing.
- Vercel Inc. (United States) — Protection ensured through contractual safeguards (DPA/SCCs), SOC 2 certification, and edge encryption.
Information about the personal information protection systems of recipient countries is available upon request by contacting contact@zelfium.com.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | While your account is active + 30 days after deletion | Service provision; 30-day grace period allows account recovery |
| Assessment data and results | While your account is active | Required to provide your personality profile, compatibility, and career pathing features |
| AI chat data | 90 days from creation | Provides conversation history; automatically purged after 90 days |
| Payment records | 7 years | Tax and financial audit compliance (legal obligation) |
| Audit logs | 1 year | Security monitoring and incident investigation |
| Anonymized research data | Indefinite | Irreversibly anonymized and no longer personal data; used for ongoing research |
When you delete your account, we remove or anonymize your personal data within the timeframes listed above, except where retention is required by law.
9. Your Rights
Depending on your location and applicable law, you have the following rights regarding your personal data:
9.1 Rights Under the GDPR (EU/EEA/UK)
Under Articles 15 through 22 of the GDPR, you have the right to:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Data Portability (Art. 20): Receive your personal data in a structured, commonly-used, machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interest.
- Withdraw Consent (Art. 7(3)): Withdraw previously given consent at any time, without affecting the lawfulness of prior processing.
- Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Zelfium uses automated profiling for personality assessment and career recommendations but does not make legally consequential decisions based solely on automated processing. You may request human intervention, express your point of view, and contest automated decisions. See Section 3 for details.
9.2 Rights Under the CCPA (California, USA)
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: Zelfium does not sell personal information, so this right is not applicable. However, you may still submit such a request and we will confirm our non-sale status.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
9.3 Rights Under the APPI (Japan)
- Disclosure: Request disclosure of the personal information we hold about you and the purposes for which it is used.
- Correction: Request correction, addition, or deletion of inaccurate personal information.
- Cessation of Use: Request that we stop using or delete your personal information if it was obtained improperly or is no longer needed.
- Cessation of Third-Party Provision: Request that we stop providing your personal information to third parties.
9.4 How to Exercise Your Rights
To exercise any of the rights listed above, please contact us at contact@zelfium.com with the subject line "Privacy Rights Request." Please include:
- Your full name and the email address associated with your account
- The specific right(s) you wish to exercise
- Any additional details that may help us locate your data
9.5 Response Timeline
- GDPR requests: We will respond within 30 days of receiving your request. If we need additional time due to complexity or volume, we will notify you of an extension (up to 60 additional days) within the initial 30-day period.
- CCPA requests: We will respond within 45 days of receiving your request. If we need additional time, we will notify you of an extension (up to 45 additional days).
- APPI requests: We will respond without delay, in accordance with applicable regulations.
9.6 Identity Verification
To protect your privacy, we may need to verify your identity before processing your request. We will ask you to confirm details associated with your account. We will not request sensitive information (such as government-issued IDs) unless strictly necessary and proportionate.
10. Research Data Program
Zelfium offers a voluntary Research Data Program that allows you to contribute your anonymized assessment data to personality science research.
10.1 Opt-In Only
Participation is entirely voluntary and opt-in. You will never be enrolled automatically. You can choose to opt in or out at any time through your account settings.
10.2 Irreversible Anonymization
Before any data enters the research dataset, it undergoes irreversible anonymization. Once anonymized, the data cannot be traced back to you or re-identified by anyone, including Zelfium.
10.3 What Is Included
- Main scale scores (8 scales)
- Subscale and component score patterns
- Basic demographic information you have provided (e.g., age range, general location), if applicable
- Aggregate response patterns
10.4 What Is Never Included
- Names, email addresses, or any directly identifying information
- Individual question-level responses that could be linked to you
- IP addresses or device identifiers
- Any data that could reasonably be used to re-identify you
10.5 Withdrawal
You may withdraw from the Research Data Program at any time. Upon withdrawal, no further data will be contributed. However, because previously contributed data has been irreversibly anonymized, it cannot be identified or removed from existing research datasets. Withdrawal applies to future contributions only.
10.6 Publication Policy
Research findings derived from the anonymized dataset may be published in academic journals, conference proceedings, or publicly available reports. All publications use aggregate statistics only; no individual results are ever published.
10.7 No Commercial Sale
Anonymized research data is never sold to third parties. It is used exclusively for scientific and academic purposes to advance the understanding of personality psychology.
11. Children's Data
Zelfium is not directed at children and we do not knowingly collect personal data from children.
- Under the GDPR, we do not knowingly process personal data of individuals under the age of 16 without parental or guardian consent.
- Under COPPA (Children's Online Privacy Protection Act, USA), we do not knowingly collect personal information from children under the age of 13.
Age Verification
During account registration, users are required to confirm that they meet the applicable minimum age requirement. We may implement additional age verification measures as appropriate.
Parental Consent
If a user between the ages of 13 and 16 (or the applicable age of consent in their jurisdiction) wishes to use our services, we require verifiable parental or guardian consent before processing their personal data.
Discovery of Underage Data
If we discover that we have inadvertently collected personal data from a child below the applicable age threshold without proper consent, we will take prompt steps to delete that data and terminate the associated account. If you believe we have collected data from a child, please contact us immediately at contact@zelfium.com.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
12.1 Encryption
- In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- At rest: Personal data stored in our databases is encrypted using AES-256 or equivalent encryption standards.
12.2 Access Controls
- Access to personal data is restricted on a need-to-know basis, following the principle of least privilege.
- Authentication credentials (passwords) are stored using industry-standard cryptographic hashing algorithms with salting.
- Administrative access requires multi-factor authentication.
12.3 Regular Reviews
- We conduct regular security reviews and vulnerability assessments of our systems and infrastructure.
- We monitor for unauthorized access attempts and security anomalies.
- Our third-party processors are assessed for security compliance before engagement and on an ongoing basis.
12.4 Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (GDPR Article 34).
- We will document all breaches, their effects, and remedial actions taken, regardless of whether notification thresholds are met.
13. Data Protection Contact
13.1 Privacy Inquiries
For any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us at:
Zelfium Inc.
Email: contact@zelfium.com
Subject line: "Privacy Inquiry"
13.2 EU Representative
As required under GDPR Article 27, if Zelfium does not have an establishment in the EU but processes personal data of EU residents, we will appoint an EU representative and publish their contact details here. Please contact us at contact@zelfium.com for current representative information.
13.3 Supervisory Authority
If you are located in the EU/EEA or UK and believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
If you are located in Japan and wish to file a complaint, you may contact the Personal Information Protection Commission (PPC) at https://www.ppc.go.jp/en/.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
14.1 Notification Process
- Non-material changes (clarifications, formatting, typographical corrections): We will update the effective date at the top of this policy. Continued use of our services after the update constitutes acceptance.
- Material changes (new data categories, new third parties, changes to your rights, changes to data retention periods): We will notify you at least 30 days before the changes take effect via:
- An email to the address associated with your account
- A prominent notice within the Zelfium platform
14.2 Material Changes
The following types of changes are considered material:
- New categories of personal data being collected
- New third-party processors receiving your personal data
- Changes to data retention periods
- Changes to the legal basis for processing
- Changes affecting your rights or how to exercise them
- Changes to international data transfer mechanisms
Where material changes require your consent (such as new processing of special category data), we will obtain your explicit consent before implementing the change. If you do not consent, the prior version of the policy will continue to apply to your existing data.
14.3 Prior Versions
Prior versions of this Privacy Policy are available upon request by contacting contact@zelfium.com.